Honestly it depends on the application.
Over time I have seen @RolesAllowed work only about 60-70% of the
time. I think an EL enabled authorization annotation will cover a
further 80-90%. For the rest I am afraid it's down to using
SecurityContext directly, perhaps in an interceptor most of the
time. The annotation way is just a lot easier and more readable.
On 7/10/2018 12:15 PM, Erik Östlund wrote:
Is there a good case for offering authorization
logic programming functionality via annotations? Most
applications I've come across require a single group and the
RolesAllowed annotation is a great fit for that.
I find the programmatic authorization style prevalent in many
JAX-RS applications to be very readable, plus it allows the
developer to reuse that knowledge when working with other access
control models:

    @GET
    @Path("{id}")
    public Thing doGetById(@PathParam("id") Long id) {
        Thing thing =
            thingRepository.find(id).orElseThrow(NotFoundException::new);
        // As written, this rejects a caller who holds both roles at once.
        if (securityContext.isUserInRole("Employee") &&
            securityContext.isUserInRole("Administrator")) {
            throw new ForbiddenException();
        }
        return thing;
    }
_______________________________________________
es-dev mailing list
es-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/es-dev
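The reply above points at the middle ground between @RolesAllowed and hand-written SecurityContext checks: an annotation whose enforcement lives in an interceptor. The following is an added illustration of that approach and is not code from the thread, from Erik, or from any Jakarta EE specification. The annotation name RequireRoles, its value/allOf members, the interceptor class and the ThingResource sample are all hypothetical. It assumes the Java EE Security API SecurityContext (javax.security.enterprise.SecurityContext, injectable via CDI, with isCallerInRole) rather than the JAX-RS one used in the quoted snippet, the Interceptors 1.2 API for @Priority-enabled interceptors, and Java 9+ for Set.of. The decision logic is kept in a plain static method so it can be exercised from main() without a container.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Set;
import java.util.function.Predicate;
import javax.annotation.Priority;
import javax.enterprise.util.Nonbinding;
import javax.inject.Inject;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InterceptorBinding;
import javax.interceptor.InvocationContext;
import javax.security.enterprise.SecurityContext;
import javax.ws.rs.ForbiddenException;

public class RoleCheckDemo {

    /** Hypothetical interceptor binding (not a spec annotation): the caller needs
     *  any one of the listed roles, or every one of them when allOf = true.
     *  Members are @Nonbinding so a single interceptor serves all value combinations. */
    @InterceptorBinding
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    public @interface RequireRoles {
        @Nonbinding String[] value();
        @Nonbinding boolean allOf() default false;
    }

    /** Pure decision function, separated from container plumbing so it can be
     *  tested without a server. Fails closed on an empty role list. */
    static boolean permitted(RequireRoles req, Predicate<String> inRole) {
        String[] roles = req.value();
        if (roles.length == 0) {
            return false;
        }
        return req.allOf()
                ? Arrays.stream(roles).allMatch(inRole)
                : Arrays.stream(roles).anyMatch(inRole);
    }

    /** CDI interceptor enforcing @RequireRoles; a method-level annotation takes
     *  precedence over a class-level one. Enabled globally through @Priority. */
    @RequireRoles({})
    @Interceptor
    @Priority(Interceptor.Priority.PLATFORM_BEFORE + 200)
    public static class RequireRolesInterceptor {

        @Inject
        SecurityContext securityContext;   // Java EE Security API, assumed available

        @AroundInvoke
        public Object check(InvocationContext ctx) throws Exception {
            Method m = ctx.getMethod();
            RequireRoles req = m.getAnnotation(RequireRoles.class);
            if (req == null) {
                req = m.getDeclaringClass().getAnnotation(RequireRoles.class);
            }
            // Missing annotation on an intercepted method is treated as a deny.
            if (req == null || !permitted(req, securityContext::isCallerInRole)) {
                throw new ForbiddenException();
            }
            return ctx.proceed();
        }
    }

    /** Constructed sample resource showing how the annotation reads at the call site. */
    public static class ThingResource {
        @RequireRoles({"Employee", "Administrator"})
        public String read() { return "thing"; }

        @RequireRoles(value = {"Employee", "Administrator"}, allOf = true)
        public String delete() { return "deleted"; }
    }

    private static void expect(String label, boolean actual, boolean expected) {
        if (actual != expected) {
            throw new AssertionError(label + ": expected " + expected + " but got " + actual);
        }
        System.out.println(label + ": " + actual);
    }

    /** Exercises the decision function against constructed role sets; no container needed. */
    public static void main(String[] args) throws Exception {
        RequireRoles readRule = ThingResource.class.getMethod("read").getAnnotation(RequireRoles.class);
        RequireRoles deleteRule = ThingResource.class.getMethod("delete").getAnnotation(RequireRoles.class);
        Set<String> employeeOnly = Set.of("Employee");
        Set<String> employeeAndAdmin = Set.of("Employee", "Administrator");
        Set<String> guest = Set.of("Guest");

        expect("read as Employee", permitted(readRule, employeeOnly::contains), true);
        expect("read as Guest", permitted(readRule, guest::contains), false);
        expect("delete as Employee", permitted(deleteRule, employeeOnly::contains), false);
        expect("delete as Employee+Administrator", permitted(deleteRule, employeeAndAdmin::contains), true);
    }
}
```

Keeping the role arithmetic in permitted() rather than inside the @AroundInvoke method is what makes the "any of" versus "all of" semantics reviewable in isolation; the interceptor only resolves the annotation and maps the outcome to ForbiddenException.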